Krebs on Security

In-depth security news and investigation

Firms Could Be Forced to Disgorge Profits from Tax Refund Fraud

Last week, KrebsOnSecurity ran an interview with Julie Magee, Alabama’s chief tax administrator, to examine what the states are doing in tandem with the IRS and others to make it harder for ID thieves to commit tax refund fraud — a $6 billion a year problem. Today we’ll hear from John Valentine, chair of Utah’s State Tax Commission, about the challenges his state faced this year, as well as the prospect that tax preparation firms could be forced to return to the U.S. Treasury any profits they make from processing fraudulent tax refunds.

Valentine was a tax attorney before being appointed chair of Utah’s tax commission, so he’s familiar with the challenges facing both the tax preparation industry and the tax agencies.

“I came out of the private sector and spent nearly 40 years suing the state tax commission and the IRS,” Valentine said. “Now I am that.”

Utah is actively engaged in an IRS task force made up of state, federal and industry tax experts trying to quash refund fraud. Like Alabama’s deputy tax commissioner Joe Garrett — who had a $7,700 fraudulent refund filed in his name — several of Utah’s senior tax administration officials also were victimized by ID thieves this year.

“We’ve had some of our senior people who had tax returns filed on their behalf,” Valentine said. “Of course, they had not filed them yet and we knew that they were more than a little suspicious.”

Among the steps the task force is considering is whether to mail all taxpayers an Identity Protection Personal Identification Number (IP PIN) that is tied to each taxpayer and must be included in each tax return. The IRS currently issues IP PINs to taxpayers who have already suffered tax return fraud. Additionally, consumers willing to swear they have been victims of identity theft can apply for a filing PIN; however, the IRS is picky about granting those requests.

Even if the IRS were to switch to issuing IP PINs to all taxpayers, the agency would still run up against the thorny problem of how to verify consumers’ identity (no doubt, that challenge would be exacerbated by millions of taxpayers phoning the IRS after losing or misplacing their assigned PINs). A major focus of the working group’s attention is finding better ways to authenticate people beyond merely requesting static identifiers (Social Security numbers, dates of birth) and other data that is frequently exposed in data breaches and is readily available for sale on underground markets.

“They’re going to have to switch to a 2-factor authentication system, where they really strengthen the front-end of that authentication,” Valentine said of the tax preparation firms like TurboTax, which briefly shut down all state tax filing this year after a massive spike in phony refund requests put through its systems via hijacked and fraudulently created TurboTax accounts.

Valentine also made the decision to halt all Utah tax refunds around that same time.

“When we installed our [anti-fraud] analytics program, we thought we were getting a lot of false positives, so we did a bunch of back checking,” he said. “While we were doing that, I made a decision to stop all refunds. For a period of two weeks Utah gave no refunds while we worked through the analytics to make sure we’d identified the nature and extent of the fraud. It turned out to be much more extensive than we’ve ever seen.”

In fact, the fraud was ten times as extensive as in any prior year, according to Valentine.

“We’ve always seen fraud where a tax practitioner will file a whole bunch of fraudulent returns, or we’ll see ID theft targeting a large employer. But this fraud wave was a little tougher, because it went across the spectrum of employers, across the entire demographic of taxpayers, high, low and middle income. Also, the fraud wasn’t regionalized — it was across the whole state — and [the fraudsters] didn’t seem to be selective as to who they hit. They got people of notoriety and people nobody knew. In the end, it appeared that the common factor among all of them was how you filed in 2013,” because the phony 2014 returns all included nearly identical information to the victim’s 2013 returns.

“What we saw in Utah was a population of the same information in the 2013 return into the 2014 return, with the exception of bank routing and bank account number,” Valentine said. “That’s a different fraud that we’d just never seen before.”
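The screening Valentine describes reduces to a few checks an analytics team can run on a return before releasing its refund: does it look like last year's return with only the deposit destination changed, is the routing number even well formed, and is the destination one the administrator wants to hold for review. The code below is an added example written for this page, not code from Utah's tax commission or the IRS. The return fields, the sample returns, the SSN, names, routing and account numbers, and the prepaid-issuer watchlist are all constructed for illustration; the only externally defined rule is the public ABA routing-number check digit.

```python
"""Refund screening checks modelled on the year-over-year clone pattern.
Added example: the data model, sample returns and watchlist are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxReturn:
    """Constructed minimal model of a filed return; not a real agency schema."""
    tax_year: int
    ssn: str
    name: str
    address: str
    employer: str
    wages: int
    withheld: int
    rtn: str       # ABA routing/transit number given for direct deposit
    account: str   # deposit account number


# Constructed watchlist of RTNs an administrator associates with prepaid-card
# programs. Issuers share RTNs across products, so a hit is a review signal,
# not proof of fraud.
PREPAID_ISSUER_RTNS = {"123456780"}


def valid_aba_routing_number(rtn: str) -> bool:
    """Public ABA check-digit rule: nine digits, weights 3,7,1 repeated
    left to right, weighted sum divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1)
    total = sum(int(d) * weights[i % 3] for i, d in enumerate(rtn))
    return total % 10 == 0


def prior_year_clone_flags(prior: TaxReturn, cur: TaxReturn) -> list[str]:
    """Reasons `cur` matches the Utah pattern: every field copied from last
    year's return except the direct-deposit destination. Empty means clean."""
    flags: list[str] = []
    if prior.ssn != cur.ssn or cur.tax_year != prior.tax_year + 1:
        return flags  # not a consecutive-year pair for the same taxpayer
    same_identity = prior.name == cur.name and prior.address == cur.address
    same_income = (prior.employer == cur.employer and prior.wages == cur.wages
                   and prior.withheld == cur.withheld)
    bank_changed = prior.rtn != cur.rtn or prior.account != cur.account
    if same_identity and same_income and bank_changed:
        flags.append("prior-year clone with new direct-deposit destination")
    if not valid_aba_routing_number(cur.rtn):
        flags.append("routing number fails ABA check digit")
    if cur.rtn in PREPAID_ISSUER_RTNS:
        flags.append("routing number on prepaid-issuer watchlist")
    return flags


def duplicate_filings(batch: list[TaxReturn]) -> dict[tuple[str, int], int]:
    """SSN/year keys filed more than once in a batch: the check that a refund
    hold lets an agency run before any money moves."""
    counts = Counter((r.ssn, r.tax_year) for r in batch)
    return {key: n for key, n in counts.items() if n > 1}


# Constructed sample data: the SSN, names, RTNs and accounts are invented.
SAMPLE_PRIOR = TaxReturn(2013, "123-45-6789", "A. Taxpayer", "1 Main St, Provo UT",
                         "Acme Corp", 52000, 6100, "011000015", "000123456")
# Same taxpayer data as 2013, only the deposit destination differs.
SAMPLE_CLONED = TaxReturn(2014, "123-45-6789", "A. Taxpayer", "1 Main St, Provo UT",
                          "Acme Corp", 52000, 6100, "123456780", "9988776655")
# A plausible genuine 2014 return: income moved, deposit destination did not.
SAMPLE_GENUINE = TaxReturn(2014, "123-45-6789", "A. Taxpayer", "1 Main St, Provo UT",
                           "Acme Corp", 54100, 6400, "011000015", "000123456")

if __name__ == "__main__":
    for cur in (SAMPLE_CLONED, SAMPLE_GENUINE):
        print(cur.tax_year, cur.ssn, "->", prior_year_clone_flags(SAMPLE_PRIOR, cur))
    print("duplicates:", duplicate_filings([SAMPLE_PRIOR, SAMPLE_CLONED, SAMPLE_GENUINE]))
```

Run stand-alone, it flags the cloned return twice (clone pattern plus watchlist hit), leaves the genuine return clean, and reports the one SSN/year key that was filed twice. The watchlist hit is deliberately a separate flag from the clone pattern: the same routing number can sit in front of both checking accounts and prepaid cards, so a hit is a reason to hold and review, not a verdict, and the clone pattern is the stronger signal of the two.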

In March, Valentine testified on Capitol Hill on the tax fraud issue, and he urged lawmakers to change the way prepaid cards are numbered so that banks and tax administrators can more easily block or filter refunds destined for prepaid debit cards — the money laundering vehicle of choice for virtually all fraudulent refund requests.

Prepaids are notoriously easy for crooks to use for tax fraud because the process for opening a new prepaid and using it to receive funds can be done anonymously, unlike opening a new checking account at a local bank branch. When the refunds get deposited to prepaids, crooks can then very easily and anonymously use them as cash or to withdraw money at ATMs.

“The process for opening a prepaid debit card appears to be very easy,” Valentine said. “The normal ‘know your customer’ rules [that banks typically are required to follow] appear to be glossed over with this industry.”

Specifically, Valentine proposed modifying the routing number on prepaid cards so that the cards would be more easily distinguishable from debit cards attached to actual checking and savings accounts. Valentine said his suggestion was followed by many head nods by lawmakers in the committee hearing, but so far there doesn’t appear to have been any movement to change the status quo.

And that inertia seems to suit the prepaid card industry just fine. Brad Fauss, interim executive director and general counsel of the Network Branded Prepaid Card Association, said the NBPCA believes that the key to solving identity theft tax refund fraud is to attack the problem at its source – where the identification credentials are compromised – rather than focusing on the method of disbursement after the fraud has occurred.

“Separately tracking routing and transit numbers, or RTNs, for prepaid accounts is impractical because financial institutions often use the same RTN’s for multiple banking products, such as checking accounts and prepaid cards, and fundamentally falls short since it will not stop fraud but will only prompt fraudsters to utilize alternative disbursement vehicles,” Fauss said.

Nevertheless, tax return fraud could become a dicey legal and financial quagmire for banks, tax preparation firms and prepaid card providers, each of which charges hefty fees for processing such transactions (see this story for a breakdown of how these companies are profiting from refund fraud).

Asked whether he was aware of anyone urging or requiring financial and tax providers to disgorge profits from tax refunds they process that turn out to be fraudulent, the formerly litigious tax attorney said these firms should be very concerned about that risk.

“I’m not aware of anyone calling for that, no, but under general principles of law, that’s one that would be a normal recourse,” he said. “Coming from the private sector, that would be the type of thing you would normally expect to see someone asserting. If I were general counsel for these third-party vendors, I would be saying, ‘Man, we run exposure here for disgorgement of fees that were from fraudulent returns, so we’ve got to clean this up right away.’”

This entry was posted on Tuesday, June 9th, 2015 at 8:03 am and is filed under Tax Refund Fraud, The Coming Storm.

“The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate,” he said. “That person can recognize the signature but could not have created the signature.”

When PGP is distributed as packaged technology in critical applications, we will be taking a big step toward reducing fraud which is based on stolen identity data such as name, address, Social Security Number, Date of Birth, &c.

The critical need is for every user to have a key pair authenticated for business use such as filing Forms 1040.

To do this, key validation should be a service offered by local credit unions and banks, which we all already use and which are already in the business of validating identity.

People rely on unsafe software made by Intuit.
If the IRS really has been hacked, it is due to lack of security in Intuit software.
The talk that Russia or China may have carried out the process of hacking it is all a false story.
After bribing investigators in the case of the Intuit tax fraud, and then fabricating the story to cover up the intended security leaks in Intuit’s products and the truth that the IRS was hacked from inside Intuit by well known employees.

The Intuit tax fraud story started after I had reported the security leaks in QuickBooks.
After that, what happened is a considerable disagreement between the ex-employee, the so-called whistleblower, and managers.
Why? Because the ex-employee and some IT security engineers concealed my report for about six months.

How about if the Fed and state taxing authorities just stopped giving out refunds via prepaid cards? Why make it so easy for the bad guys and so difficult to trace where the money is going? At least with electronic transfers and/or checks, legal authorities can get more information from the banks…

However, the problem seems to be that refunds through automated transfers don’t include a name-address check. As such, they can be routed to a nameless prepaid debit card as well.

Hence the proposal in the article to change the routing number and/or numbering of the prepaid cards, so the IRS and state equivalents can detect them just by looking at the number.

Of course, this makes me wonder why *I* need to fill out a name and address when I make a bank fund transfer, if apparently this is not needed or checked when making a transfer? After all, if the IRS would simply check whether the bank account is in the name of one of the persons on the return, it would also solve the issue.

Of course companies like H&R Block would be hit by that, as they often take your refund and give you a prepaid card up front.

So changing the routing number or card numbering seems to be the method that is least disruptive. But I’d personally go with named accounts/checks as the only way to get a refund.

Apparently this is already required for receiving federal benefits (Social Security, Veterans Affairs, others) if someone does not have a bank account for direct deposit. No more paper checks for federal benefits.

> Prepaid cards – The ease with which crooks cash out via prepaid cards isn’t the issue, and going down the road of making all financial transactions traceable isn’t the solution. That’s simply a cheap reactive hack for law enforcement. It’s akin to putting a camera on every street corner, and microphones in every home. Sure, we can solve more crimes this way, but for me, it’s not worth the cost. I’d prefer the relevant entities make an effort to get security right in the first place.

Of course Mr. Fauss is not happy about the idea of blocking prepaid debit. The reality is that this, together with similar cards like ‘gift cards’, is pretty much the bulk of the fraud returns. So the idea that they’ll move to other vehicles is simply untrue.

Like the article says, opening a normal bank account is much harder. Also, customers who have fraud alerts, credit monitoring or, as Brian’s previous article suggests, credit freezes will be alerted or perhaps even saved.

And crooks cannot dump multiple refunds into one account, so they have to pretty much open a new account for every fraud.

Basically, make refunds only to named accounts and named checks and the issue is mostly gone. Or better stated, back to a more managed level, as it returns to specially targeted attacks which are easier to spot and more time-consuming for a crook to pull off.

This punishes the poor/unbanked, of which the US has tens of millions.

Perhaps the IRS should make it more difficult to obtain my tax transcript, which is really the catalyst for this type of fraud to happen.

Limiting the way a US citizen can gain access to their own money is punishing the citizen for the transgressions of the IRS, Intuit, etc. I tend to think perhaps the IRS should have to find a way to curtail the fraud, not me.

Bank accounts are cheap and you can always pay the small check fee. You cannot for eternity use the excuse of not having a bank account. Especially since it costs the IRS so much. It’s 2015, not 1985 or so…

The biggest challenge to fighting or stopping tax fraud is profits. Most companies have no incentive to stop or help prevent fraud; as Intuit has shown, the fraud does not stop, it just moves somewhere else, and they lose their share of the fraud profits. There needs to be some sort of penalty for not reporting or doing anything to help prevent fraud, like making the tax companies who knowingly allow a phony refund to pass pay for the refund, or at least returning to the IRS any profits made on phony or fraudulent refunds that pass through.
Bad guys will continue to file phony refunds and collect the profits. The IRS can make changes to how it verifies people, but remember this: if the information is available to the IRS to verify you, then there is another company full of information just begging to get hacked, and BAM! Bad guys have all the information needed to file phony refunds.

Whatever is decided, it’s clear something has to be done, and fast, since fraud over tax refunds is growing exponentially around the country. I’d like to see all refunds sent to a local Post Office and the clerk handing them out asking for picture ID like a driver’s license. Taxing agencies have made it too easy to defraud them in the name of convenience. At the post office window, with a key pad, you could deposit the check directly into your bank account by bringing a copy of your personal check for routing. It’s clear all the other features have their own problems, and the post office would welcome the business.

As an American, I file income taxes to the US every year (and will continue to do so until I die, in fact, there will be at least one filed after I die…).

FWIW, it’s possible to be a natural born American and have never resided in or even visited the USA (this doesn’t apply to me — it’s a property of an American living abroad and having children [1]).

Do you propose that my refund be sent to a USPS office within the USA? It would be fairly expensive for me to retrieve my refund (at least $600, not counting hotel stays, vacation requirements from my employer as applicable, or other government imposed penalties for being out of my country of residence).

Oh, I’ve never had a driver’s license. But do you really think a USPS clerk wants to be responsible for verifying my foreign driver’s license (which could very well be written in a non Latin language) if I manage to get one? (I haven’t actually lived in a country where this applies, but I have considered it, and I’m eligible to do so at any time.) There are 50 states, plus DC and ~5 other territories, most of whom issue both a Driver’s License and an alternate photo ID, expecting a clerk to validate those 100+ IDs is pretty bad, and again, not everyone has any of them (I have a couple of expired IDs from various US locations, but they’re expired…). Note that you can earn enough income to need to pay taxes long before you’re eligible for a driver’s license (not a problem I had either, but it happens).

Worse, in the case where my refund exceeded certain values (it hasn’t — I’m not remotely wealthy enough to hit such things), I could be hit with amusing currency controls when I try to return to my country of residence.

Also, getting to a post office isn’t easy for many people. It’s really hard for many elderly people to get out of their house– they’re very thankful for having the US Postal Service perform delivery.

Yes, fraud is a big problem. No, the solution you’re proposing isn’t the right approach.

Should bank accounts tied to prepaid cards be easily identifiable? Probably. Although do note: phone numbers in the US are intentionally not distinguishable between cellular and land lines — to prevent discrimination — this is unlike in other countries where people are in fact discriminated against based on their type of phone (rates can be higher/lower based on whether you’re calling to/from a cell/landline). In general, the US isn’t a big fan of discrimination (which isn’t to say it isn’t practiced, we just generally try to make it hard for overt discrimination to be practiced).

Should identity pins be issued to all US taxpayers? Yes.
Should the law governing the IRS be changed such that it isn’t required to issue refunds before it has a chance to receive the forms it uses to validate income? Absolutely

Are there costs to these? Unfortunately — some people live month to month and depend on their refund arriving by a certain date. Also, people will lose their IP Pins, and some people won’t have a fixed address (my address changes periodically, the one that the IRS/SSA has for me currently isn’t valid).

Plus, we already have a private identity PIN. It’s called a Social Security number. By law, it is not for any identity purposes. Therefore, there has to be another number issued by the government. Oops, there is. But we don’t use it either: a draft number. And a taxpayer identification number. Some are calling for a two-number verification; how about a three-factor system?

Over a million US citizens are not living in the US. That is on top of movers.

If you’re not living in the US, but are a citizen (and certain residents who move on a temp basis) you MUST still file every year regardless if you need to pay or not. Even if you had no income, you must still file.

Typically you won’t owe taxes unless you live in a low-tax country and have high earnings (as there is a threshold below which you don’t need to pay US taxes regardless). There are not many places in the world where you can earn high wages *and* have lower taxes than in the US. But you must still file.

One other reason is also IRA rules. You cannot use an IRA (tax deductible or not) if you have no earned income. If you want to contribute, you must file.

If you ever move back and have not filed, you could end up in trouble.

So physical post offices don’t work. Also they are not needed. The problem is the unnamed prepaid debit cards, not so much the rest.

All of this could be avoided if we eliminated tax withholding and tax payers had to pay the IRS with a check, credit card, or money transfer. Additionally, the tax system should not be used for welfare and no one should get a payout from the IRS. Put the burden on the IRS to collect the money and them deal with accepting money from fraudulent sources.

Withholding is a good thing, it makes it easier for people to generally not try to defraud the government.

There are other problems — it means that everyone has to maintain a bank account (many don’t have bank accounts, and bank accounts are often not free), and essentially keep money in escrow — being careful not to spend money that isn’t really theirs — because it’s reserved for taxes.

A significant portion of the population can’t balance books / avoid overdrafting their bank account / avoid going into credit card debt. Giving people money and saying “you can’t spend this” is a recipe for disaster.

Personal responsibility is called for. Just because some people are financially irresponsible doesn’t mean everyone has to suffer. I see no problems with a person taking a bus to the nearest IRS office, post office, or other similar location and paying their taxes in cash if needed. If a person is unable to save money and ends up with no money to pay their taxes, I am certain the IRS would be happy to put them on a payment plan and tack on a penalty or two. Perhaps at that point the money is withheld from their paycheck. I believe that as soon as people are more in tune with how little or much money they are forced to give to the government, the better our society will be.

Wow, you really have no idea what it’s like to be part of the working poor, do you?

Take a bus to the IRS office = “take a day off from your job, that you cannot afford to miss a single hour, to take a bus and wait at the IRS office all day”

“I don’t see why everyone has to suffer” + “I’m sure the IRS would be happy to garnish their wages and tack on a penalty or two”… So, basically you just want to do the same thing, but push it ahead a year and not call it “withholding.”

Under which plan, withholding or no withholding, is there more suffering? I see your plan as causing far more.

We used to have a system where we paid the government when we filed our tax return, until WW2 came along, when the government instituted the withholding system and kept it in place for the convenience of paying your taxes.

It should be noted that people have no concept of understanding finances to manage their taxes due in one lump sum when they file their returns. I hear complaints from people about why their relatives have to pay taxes in a lump sum to the government, neglecting to mention they did not utilize withholding to make it easier.

Looks like no one in the whole US cares where billions in fraud is going; automated and anonymous schemes are valid.
At the same time, in Europe all banks fulfill the US (!) legislation and are tracking the cash and follow “know your customer” procedures... But not in the US. It is strange and sounds deliberate.

There are ways to fix all of this. It’s more that no one in authority actually wants to. It’s a lot like the immigration problem.

As far as the digital side of the equation…..
Why hasn’t an update fixed anything yet? With all the advancements in Windows (including getting rid of XP) and given how much more secure Mac is, since we are all being forced (or rather strongly suggested) into HTTPS, since we now have HTML5 and are making significant headway into IPv6, and we’ve all learned our lessons from the “I Love You” virus and Heartbleed and Stuxnet, since we no longer open email from unknown sources (and no longer use the preview pane), since we all know we can fully trust iCloud, since everyone is moving to the safer computing environment in tablets and smart phones......

Thanks for the link to the “IRS is picky about granting [PIN] requests”!
Now I understand *why* they didn’t send me a PIN.
Seems pretty short-sighted, though… I’ve had my main credit card lifted three times, I was part of the Anthem heist, and — as we all pretty well know already — our info is readily available for sale anyway.
If I’m able to keep track of my PINs for the various credit freezes, why wouldn’t I be able to do the same for an IRS PIN?
So, we have to be a victim of identity thief in order to get an IRS PIN?
Really?

Note though that the article Brian referred to does not actually explain why you didn’t get a PIN *on request*. It only explains they are only issuing it to people in certain states or (some?) people who were confirmed tax-refund fraud cases. And half of the Get Transcript victims will also get a PIN.

You can always request a PIN yourself using their form.

But in general they cannot issue more as they don’t have the capacity to roll this out nationwide.

Also note the PIN is issued only later in the tax season, so you cannot file early, hence delaying a possible refund. That is also bad if you aren’t owed a refund but need to pay them, as interest and penalties keep accumulating. Granted these are typically small numbers, but a PIN has downsides as well.

In general though, the IRS does have much more secure systems in place. E.g. for their electronic transfer they have a combination of a PIN, which is sent only to last year’s address when registering online, and a password you choose. That system would eliminate most tax fraud as well, but doesn’t scale. That is the core issue: the IRS does not have the capacity or funds to quickly change their legacy system to something more secure.

Lastly, also note many people would dislike more secure systems as they are less convenient. People forget PINs, wait to file until the last day, lose last year’s AGI, etc. Many people will complain and complain when it is made more secure.

Many interesting comments. There is always a rash response to simply do away with products in response to problems (in this case fraud) without regard to consequences. Not advocating for the return of them, but consumer groups cried that if Refund Anticipation Loans went away, fraud in the tax system would go away. Au contraire. When RALs were forced out of business, the major banks offering them exited the tax space. Along with that exit went their obligation (by law) to protect bank assets (loans). Consequently refund fraud increased fourfold and is rising.

You may agree or disagree with bank products at tax time, but the fact is that (regulated) banks and financial institutions have better anti-fraud (or more up-to-date) technologies than most industries. The government should seek to partner in the process and work with industry to combine the best anti-fraud strategies. Commissioner Koskinen’s Fraud Summit is seeking to do just that. Keeping the legitimate players close mitigates an environment akin to the Wild West where fraud is concerned. Pushing legitimate products out of the space will only spawn shadow fraud, like the old-time refund discounting where nobody had any oversight and refund fraud was conducted in the back alleys (i.e., “Here’s $1000 now and you give me your $2500 refund check when it comes – or else”).

Finally, it’s always interesting to listen to people say “hey, get a bank account and these problems go away”. Walk a mile in a lower-income taxpayer’s shoes and you will find many (most) don’t even want a bank account. They conduct their affairs very differently, and that’s their right. Forcing them into a space they feel uncomfortable with to start with only breeds more reason to scam and sidestep the system. Buyer beware: the knee-jerk reaction is usually the worst solution. My .02.

BTW: there are no profits on fraud accounts. There is a cost to fighting and identifying fraud that outweighs the margin.

Yes, tax refund fraud is a complex problem. But if everyone involved refuses to up their security and just says “The bad guys will only go elsewhere if we clean up our act,” there’s not much chance of improvement.

Prepaid cards ARE part of the problem. They’re easy to acquire and untraceable, which makes it easy for crooks to make off with your refund.

However the IRS could definitely do a better job. My payments (and the occasional refund haha) were for years always from/to the same account numbers. Shouldn’t it have raised a red flag when suddenly they were changed to an untraceable account?! Apparently not — the IRS gladly gave the crooks my $4K.

One super easy way to stop tax refund fraud cold: don’t issue ANY refunds until after April 15th. Then all duplicate returns will be accounted for (and hopefully resolved) BEFORE wiring a single dollar in fraudulent money.

This might anger early filers, but pay them interest. The wait might be worth the BILLIONS in lost taxpayer dollars annually.

The IRS is already assigned penalties by law for not returning refunds fast enough; that’s where half of this mess came from in the first place.

Things we need to do:
1. Fix that law (and change things so that the IRS has the time to reconcile W2/W4s before it issues refunds)
2. Make it easier for the IRS (not necessarily everyone else, see my discrimination note) to determine if an account is unverified/not directly assigned to a real person
3. Provide penalties (with a double/triple factor) and make it easy to enforce them for being involved in refund fraud (this would be to the tax preparers, the banks that handle the refunds, etc.) — probably on the order of (refund + $100) * 3 w/ a penalty of $100,000 * number of fraudulent payments via the vendor if the number of fraudulent payments exceeds 100 (the floor here ensures that small businesses aren’t penalized, and should ensure that big businesses put serious resources into identifying, flagging, and preventing them).
4. Ensure that preparers/refund processors are given enough permission to disclose enough information to the IRS w/o penalty when they suspect fraud.
5. Offer Postal Banking to all US residents [1]. Unlike other people’s suggestions on this page, it does provide for a way to take advantage of the existence of the USPS (it has lots of locations around the US, and reaches most US residents multiple times a week), but it doesn’t penalize those of us who can’t reach a USPS branch. Note that Postal Banking does require identification (I used a Postal Bank in France — I showed my Passport and retrieved a US originated wire transfer), so it wouldn’t necessarily become a primary fraud outlet — and the USPS already has its own police force (USPS OIG [2]).
6. The IRS should be issuing a 2FA system for filing tax returns to every tax payer, that’s roughly the IP PIN that they’re currently issuing.
7. Funding has to be provided to the IRS to allow them to do stuff (they’ve been actively starved by Congress of late).

Brian, why isn’t there a push to implement a national Public Key Infrastructure? Issuing and using X.509 certificates within a PKI would assure authentication, eliminate impersonation, support encryption, allow digital signatures and provide non-repudiation of transactions.

I’m guessing that the main deterrent to a national PKI is the cost, and the potential difficulty of individuals managing their private key on some device, and maintaining a reasonable and useable certificate revocation list (CRL). Perhaps the ongoing cost of fraud will soon make a national PKI an attainable goal?

I worked on a 100,000 person PKI at a government agency and we successfully implemented secure single-signon, encrypted email (within the agency) and digital signing of electronic documents.

I would love to have a single “smart card” to insert in a card reader on my laptop which would authenticate me to all of my email and other Internet accounts, encrypt my email and protect all of my financial transactions. I would pay a reasonable annual fee for a viable PKI.